Virus, Worms & Other Invaders

Creating damaging viruses used to take esoteric skills, but today it's as easy as, well, as easy as Microsoft Visual Basic.

Viruses, Worms and Trojans have been with us for many years, but rarely did one show up in one of our clients' systems. Now, we're seeing a serious attack every week or two. What changed? Several things changed:
  • Most of our clients' systems have become remarkably similar, in fact essentially identical. As Microsoft consolidates its desktop monopoly, variation becomes difficult.
  • E-mail has become a critical and necessary business tool - and a casual source of diversion for employees.
  • Automation features have proliferated in Microsoft's products as a means of integrating what were once very separate applications.
Combined with these factors is Microsoft's deliberate avoidance of security measures or any restriction on what integration and automation features can do. Microsoft wants these features to be as easy to use as possible so users and developers become dependent on them. It is precisely these features that lock out all significant competitors. Security measures would interfere with this ease of use, with consequent risks to their monopoly.

Since the automation / integration features are so easy to use, even rank novices can write effective worms and viruses using them (as was the case with the ILOVEYOU worm). Since they are unrestricted, they can do anything with your computer you could do. Fortunately, none of the fast moving worms we have recently experienced has been designed to do much damage, but that will change.

Definition of Threats

  • Virus - program code that propagates itself by attaching itself to or embedding itself within some other program. A program that is often passed from computer to computer is selected. Pirated programs posted for "free download", screen savers and games are long-time favorites. The term "virus" is also loosely used to designate all the other threats on this list.
  • Worm - differs from a virus in that it is a stand-alone program not attached to any other program. It usually propagates itself actively by using networks, e-mail systems and other data connections.
  • Trojan - a program that hides on your computer and allows its perpetrator to access your computer and its data at will. Many Trojans will use your Internet connection to "phone home", announcing their presence and your Internet address to the perpetrator, or will simply e-mail specific files. Trojans may be propagated as viruses or worms.
  • Hostile Code - scripts or programs that can be transferred to your computer within HTML e-mail, as e-mail attachments, or by visiting a hostile Web site. Hostile code can do anything you could do from the keyboard.
Note in particular the use of Worms to deliver Trojans, planting them in your system, then going on to other systems. This is happening today to lay the groundwork for DDoS (Distributed Denial of Service) attacks on major Internet sites.

How You Get Infected

Boot Sector Virus: These were very popular when the floppy disk was much more widely used. If you turn on your computer with an infected floppy in the A: drive, the program runs and infects the boot sector of your hard disk. From then on, any floppy you put in the A: drive becomes infected and will spread the virus to other computers.

File Infectors: When you run an infected program on your computer, it infects as many other programs as it can. Any of these programs can then infect another computer. A favorite way to spread this class of virus is to infect pirated programs posted for "free download". Screen savers and other novelty programs are also favorites.

Word/Excel Macro Virus: These depend on automation features of Microsoft programs to run. They may infect any Word or Excel document and can do anything any other program can, including reformat your hard disk.

Hostile Code: Microsoft Windows provides an environment where practically any script or program is allowed to run in privileged mode, and Windows itself includes many powerful system tools these programs can exploit, so they don't have to bring much with them. Hostile code can be carried by email or inserted into your machine by visiting the perpetrator's Web site, or a Web site he has compromised.

The exact effect of many viruses on a Windows system is unpredictable because Windows itself is so disorderly. A virus that crashes one system completely may cause minor inconsistencies on another and cause no noticeable effect on a third. Many viruses try to hide completely and cause no disruption, because they are designed to do something fun (like format your hard disk) on a particular date.

The majority of viruses do nothing except propagate and let their presence be known on the systems they infect, but they still cost a lot of money to get rid of. You can't just leave them since you can't know what they might do. There are often many versions of a specific virus, some annoying, and others destructive.

Viruses must be removed with great care and by established procedures. A good anti-virus program can remove many, but not all. Boot sector viruses, for instance, are easily removed by booting on a DOS floppy, then typing the undocumented fdisk /mbr command. In response, boot sector viruses have been developed that prevent you from accessing your hard disk at all once you have used this command to remove them. Disk access had been diverted through the virus, and it isn't there any more.

Trojans (short for "Trojan Horse") are hostile code that permanently compromises your system, allowing access and control by an outside perpetrator. Once a Trojan is installed, your computer can be used to launch attacks against other computers, or can be used to gather private data from your hard disk or network.

A particularly notable Trojan is covered in our article Cult of the Dead Cow, but there are many others. Many Trojans today are designed for a single purpose, such as obtaining the cookies file from your browser (which will expose passwords and may allow credit card numbers to be obtained), or for launching DDoS (Distributed Denial of Service) attacks against Internet sites using your computer.

[ UPDATE: - New Trojan, Wrapster, turns Napster into a major security hole. ]

Fast Moving Worms

We cannot overemphasize that fast moving worms like Melissa, ILOVEYOU, Life_Stages, Pretty Park and the like affect only Microsoft Windows environments. They are made possible by the tight integration between all Microsoft products and the deliberate lack of security in design.

Since all systems running Windows are now nearly identical, a worm or virus can depend on having exactly the environment it needs wherever it goes. Since e-mail and Internet connectivity are now essential to business and in wide personal use, propagation is swift and sure.

Microsoft has denied all responsibility and has strongly stated they will not change the behavior of their product integration just because of the multi-billion dollar losses their customers have suffered in attacks. The value of locking out competitors is far more important to them than economic losses to customers.

Microsoft's reasoning is perfectly sound. Most of their customers have completely failed to associate cause with effect, and the few who have, have come up with endless rationalizations for why "we have to use Microsoft Office". The press certainly isn't going to push the point and risk their advertising revenue - and as long as competitors are locked out, customers won't have any choice anyway.

Microsoft apologists loudly claim that if any other environment were as popular as Windows it would be subject to similar attacks. This is not true. No other networked environment allows untrusted programs to run automatically, and certainly doesn't allow them to run in privileged mode where they can affect system files and directories. Nor do they have the tight "single vendor" integration Microsoft products have.

There's a joke going around about a Linux virus that works on the honor system. It asks the user to please e-mail it to a bunch of other people, and then please delete a bunch of system files at random.

[ UPDATE: 18-May-00 - after a U.S. Congressman lambasted anti-virus industry execs to their faces, and suggested some measures Microsoft's high IQ developers were apparently unable to think of, Microsoft reacted by announcing patches for Outlook that partially relieve its vulnerability.

Microsoft has chosen to implement these features as an "all or nothing" solution. You either remain vulnerable or give up Office integration and automation features entirely - and you can't uninstall once you've installed. They allow no middle ground. The obvious explanation is to be able to say "We have fixed the problem", but to make the fix so onerous few will implement it. After the next attack they can say, "People didn't install the fix we made available - it's their own fault".

More information on the security patch and links to Microsoft's download site can be found in our news item Microsoft's Love Bug Fix. ]

Some measures developed by other companies, such as JustBeFriends (created in response to the I Love You worm), will protect the network and e-mail system by stopping propagation, but will not protect the machine that has become infected. Using an e-mail program other than Outlook (we recommend PMMail) will also have this effect.

Of course, using an alternative office suite too, such as StarOffice, Corel WordPerfect Office, or Lotus SmartSuite will stop all these worms and macro viruses dead in their tracks, and protect the infected machine as well. But then you're giving up the automation features that make those animated off-color jokes you get in your e-mail so entertaining.

Worms, like viruses, must be removed with great care and by established procedures. Pretty Park and similar viruses, for instance, consist of a single file, FILES32.VXD. You can't simply remove this file, though, because changes have been made in the registry and you won't be able to run any programs at all once it has been removed. You must first correct the registry using REGEDIT. Life_Stages goes a little farther. It removes REGEDIT first so you don't have the tool you need to repair the damage.
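One defensive check for the registry problem just described, added here as an example and not part of the article's own procedure: it reads a REGEDIT export and verifies the command Windows uses to start .exe files, so the wrapper can be found and undone before the worm file is deleted. It assumes the worm's registry change is to that .exe file association (the article does not name the key); EXE_COMMAND_KEY, the helper names and the sample export are constructed.

```python
# Added example (not the article's procedure): before deleting the worm file,
# confirm what the registry does when an .exe is launched. Assumption: the change
# the article describes is to the .exe file association, so that every program
# start is routed through the worm file; the article itself does not name the key.
import re

EXE_COMMAND_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
CLEAN_DEFAULT = '"%1" %*'   # stock value: run the file itself with its arguments

def _unescape(value):
    """Undo the .reg file escaping of quotes and backslashes inside strings."""
    return value.replace('\\"', '"').replace("\\\\", "\\")

def exe_open_command(reg_text):
    """Default value of the .exe open command in a REGEDIT export, or None."""
    section = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == EXE_COMMAND_KEY.lower():
            m = re.match(r'@="(.*)"$', line)
            if m:
                return _unescape(m.group(1))
    return None

def check_exe_association(reg_text):
    """(ok, detail): ok is False if something runs in front of every program."""
    value = exe_open_command(reg_text)
    if value is None:
        return False, "exefile open command not present in export"
    if value.strip().lower() == CLEAN_DEFAULT.lower():
        return True, value
    return False, (f"hijacked: programs start via {value!r}; restore "
                   f"{CLEAN_DEFAULT!r} before removing the wrapper file")

# Constructed export showing the symptom; the file name is the one the article gives.
HIJACKED = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="FILES32.VXD \"%1\" %*"
'''
```

Export the key with REGEDIT, run check_exe_association on the file contents, and only delete the worm file once it reports ok.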

HTML E-mail Danger

Many spammers and other low-life send e-mail in HTML format rather than as plain text. Poorly designed mail systems will automatically open HTML mail using the Web browser. The effect is exactly the same as visiting the perpetrator's Web site. In other words, if the perpetrator wants to run a hostile script that e-mails your Quicken file to him, or plants a Trojan, or whatever, he can do it if you haven't tightened your security.

Hostile HTML e-mail will pass through any firewall because it looks like a legitimate document. You can safely examine HTML email using a mail reader that reads it as plain text (but it looks really messy), but you might as well just delete it unread since HTML mail is all advertising anyway.

Protecting Yourself

If you have read the above, the answer should be obvious. All you have to do is move your computers to non-Microsoft software - but you aren't going to do that, are you? So, let's discuss second best.
  • Make good multi-tiered backups of all important data and keep them safe. Do it early and often (might we suggest - daily?). This is your first line of defense and your last resort when everything else goes wrong. Don't screw it up.

  • You must install and keep up-to-date a good anti-virus program. By up-to-date I mean updating it every few weeks and immediately every time a major new threat is announced.

  • Train users to be very suspicious of e-mail attachments they aren't expecting, even if they appear to be from someone they know and trust. Even if they have "safe" file extensions like .TXT (Windows often hides the real extension). User training has its limits because virus writers have available a lot of social engineering tricks they haven't even begun to exploit yet.

  • Turn off automatic execution of macros in Microsoft Office. Of course, it'll bitch about this because Microsoft wants them turned on, but that's a cost of safety. Remember to turn them off again after any reinstall.

  • Uninstall Microsoft Scripting Host (Control Panel / Install/Uninstall Software) if you can do without most integration and automation features.

  • Install Microsoft's security fix if you can do without integration and automation features entirely and permanently.

  • Your up-to-date anti-virus software can be made out-of-date overnight by a new virus. A virus can be launched in Asia at 2:00am, and it's on your system at 10:00am, so you need to check a virus news site every morning or subscribe to a notification service. If you're in the U.S. people in Europe have probably already been hit and the news is out.

  • If you have a DSL or Cable Modem connection to the Internet, implement a firewall or at least intrusion detection software. See our article on Security with DSL and Cable Modems for a lot more detail. Without these measures, if the viruses and worms don't get you, the script kiddies probably will.
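The HTML E-mail Danger section and the attachment bullet above come down to the same gateway check, shown here as an added example (not the article's code): an HTML body is reduced to plain text with scripts discarded, which is what reading it "as plain text" amounts to, and attachment names are checked for an executable extension hiding behind a "safe" one like .TXT. The EXECUTABLE list, the function names and the sample message are constructed for the example.

```python
# Added example, not the article's code: triage that renders HTML mail as text
# (nothing executes) and flags attachments with a hidden executable extension.
import email
from email import policy
from html.parser import HTMLParser
from posixpath import splitext
# Extensions Windows runs directly or hands to the Scripting Host.
EXECUTABLE = {".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".vbs", ".vbe",
              ".js", ".jse", ".wsf", ".hta", ".shs"}

class _TextOnly(HTMLParser):
    """Collects visible text; the contents of <script> and <style> are dropped."""
    def __init__(self):
        super().__init__()
        self.parts, self.skip = [], 0
    def handle_starttag(self, tag, attrs): self.skip += tag in ("script", "style")
    def handle_endtag(self, tag): self.skip -= tag in ("script", "style") and self.skip > 0
    def handle_data(self, data):
        if not self.skip: self.parts.append(data)

def html_to_text(html):
    """What a plain-text reader shows for an HTML body: markup and scripts gone."""
    p = _TextOnly(); p.feed(html); p.close()
    return " ".join("".join(p.parts).split())

def attachment_risk(filename):
    """Why the attachment is dangerous, or None. Catches the double-extension
    trick: with extensions hidden, PHOTO.TXT.vbs is displayed as PHOTO.TXT."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()  # drop any path
    base, ext = splitext(name)
    if ext not in EXECUTABLE:
        return None
    if splitext(base)[1]:
        return f"displays as {base} with extensions hidden but runs as {ext}"
    return f"executable attachment ({ext})"

def triage(raw):
    """Return (plain text of the message, list of attachment findings)."""
    msg = email.message_from_string(raw, policy=policy.default)
    text, findings = [], []
    for part in msg.walk():
        fn = part.get_filename()
        if fn:
            risk = attachment_risk(fn)
            if risk: findings.append(f"{fn}: {risk}")
        elif part.get_content_type() == "text/html":
            text.append(html_to_text(part.get_content()))
    return "\n".join(text), findings

# Constructed sample (not a real worm): HTML body with a script, attachment posing as text.
SAMPLE = ('Content-Type: multipart/mixed; boundary="b"\n\n--b\nContent-Type: text/html\n\n'
          "<p>Please <b>see</b> attached.<script>alert('hostile')</script></p>\n--b\n"
          'Content-Type: application/octet-stream; name="PHOTO.TXT.vbs"\n'
          'Content-Disposition: attachment; filename="PHOTO.TXT.vbs"\n\nMsgBox "x"\n--b--\n')
```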

© Andrew Grygus - Automation Access